---
title: Generating provenance statements
---

You can generate provenance statements for the packages you publish. This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.

## About npm provenance

npm provenance includes two types of attestations:

- Provenance attestation
- Publish attestation

The provenance attestation is established by publicly providing a link to a package's source code and build instructions from the build environment. This allows developers to verify where and how your package was built before they download it.

Publish attestations are generated by the registry when a package is published by an authorized user. When an npm package is published with provenance, it is signed by Sigstore public good servers and logged in a public transparency ledger, where users can view this information.

### About Sigstore

Sigstore is a collection of tools and services aimed at making it easy to use short-lived, ephemeral certificates to sign software. Its three main components are a CLI tool, a certificate authority, and a time-stamping transparency log.

The certificate authority federates with any OIDC provider that includes verifiable build information. It acts as an intermediary between build systems and package registries by verifying the integrity of the OIDC token, issues a signing certificate that contains that build information, and then logging the signing certificate to an immutable ledger.

The transparency log service provides a public, verifiable, tamper-evident ledger of signed attestations. This ensures transparency of the public service, as well as providing a way to detect attempts to tamper with a package if a package registry were to be compromised.

## Provenance limitations

- To publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner. Today this includes GitHub Actions and GitLab CI/CD.
- When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not. For more information, see "[Searching for and choosing packages to download][provenance-info]."

## Prerequisites

Before you can publish your packages with provenance, you must:

- Review the [Linux Foundation Immutable Record notice](https://lfprojects.org/policies/hosted-project-tools-immutable-records/), which applies to the public transparency log.

- Install the latest version of the npm CLI (ensure you are on `9.5.0+` as older versions don't support npm provenance). For more information, see "[Try the latest stable version of npm][update-npm]."

- Ensure your `package.json` is configured with a public `repository` that matches (case-sensitive) where you are publishing with provenance from.

- Set up automation with a supported CI/CD provider to publish your packages to the npm registry. The following providers are supported:
  - GitHub Actions. For more information, see "[Publishing packages with provenance via GitHub Actions][github-provenance]."
  - GitLab CI/CD. For more information, see "[Publishing packages with provenance via GitLab CI/CD][gitlab-provenance]."

**Note:** If you use [trusted publishing](/trusted-publishers), provenance attestations are automatically generated for your packages without requiring the `--provenance` flag. This provides enhanced security and eliminates the need for access tokens in your CI/CD workflows.

## Publishing packages with provenance via GitHub Actions

In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitHub Actions is a supported CI/CD platform that allows you to automate software development tasks. For more information, see [GitHub Actions][github-actions] in the GitHub documentation.

To update your GitHub Actions workflow to publish your packages with provenance, you must:

- Give permission to mint an ID-token:

  ```yaml
  permissions:
    id-token: write
  ```

- Run on a [GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources):

  ```yaml
  runs-on: ubuntu-latest
  ```

- Add the `--provenance` flag to your publish command:

  ```sh
  npm publish --provenance
  ```

- If you are publishing a package for the first time you will also need to explicitly set access to public:

  ```sh
  npm publish --provenance --access public
  ```

### Example GitHub Actions workflow

This example workflow publishes a package to the npm registry with provenance.

```yaml
name: Publish Package to npmjs
on:
  release:
    types: [published]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

### Using third-party package publishing tools

If you publish your packages with tools that do not directly invoke the `npm publish` command, you can do one of the following in your GitHub Actions workflow to publish your packages with provenance.

- **Configure environment variables:** In your GitHub Actions workflow, you can use an environment variable called `NPM_CONFIG_PROVENANCE`, and set it to `true`.
- **Configure your `package.json` file:** You can add a `publishConfig` block to your `package.json` file:

  ```json
  "publishConfig": {
    "provenance": true
  },
  ```

- **Add an `.npmrc` file:** You can add an `.npmrc` file to your project with the following entry:

  ```ini
  provenance=true
  ```

<Note>

**Note:** To publish packages with provenance using Yarn, [v4.9.0](https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg%2Fcli%2F4.9.0) or greater is required.

</Note>

## Publishing packages with provenance via GitLab CI/CD

In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitLab CI/CD is a supported CI/CD platform that allows you to automate software development tasks. For more information, see [Generating provenance in GitLab CI/CD][gitlab-ci-cd-docs] in the GitLab documentation.

### Example GitLab CI job

This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don't forget to define the `NPM_TOKEN` variable in your GitLab project settings.

```yaml
publish:
  image: 'node:20'
  rules:
    - if: $CI_COMMIT_TAG
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
    - npm publish --provenance --access public
```

## Verifying provenance attestations

You can verify the provenance attestations of downloaded packages with the following `audit` command:

```
npm audit signatures
```

Example response showing the count of verified registry signatures and verified attestations for all of the packages in a project:

```
audited 1267 packages in 6s

1267 packages have verified registry signatures

74 packages have verified attestations
```

Because provenance attestations are such a new feature, security features may be added to (or changed in) the attestation format over time. To ensure that you're always able to verify attestation signatures check that you're running the latest version of the npm CLI. Please note this often means updating npm beyond the version that ships with Node.js.

[provenance-info]: /searching-for-and-choosing-packages-to-download#package-provenance
[update-npm]: /try-the-latest-stable-version-of-npm
[github-provenance]: #publishing-packages-with-provenance-via-github-actions
[gitlab-provenance]: #publishing-packages-with-provenance-via-gitlab-cicd
[github-actions]: https://docs.github.com/en/actions
[understand-actions]: https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions
[gitlab-ci-cd-docs]: https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#use-sigstore-and-npm-to-generate-keyless-provenance
